On 2020-08-31 11:03, Kyotaro Horiguchi wrote:
> At Tue, 18 Aug 2020 16:43:47 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
>> Thank you very much. I'll do that after some polishing.
>>
>> A near-by discussion about OpenSSL3.0 conflicts with this but it's
>> easy to follow.
>
> Rebased. Fixed bogus tests and strange tentative API change of
> SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to
> register this to the coming CF.
Other systems that offer both a CRL file and a CRL directory usually
specify those using two separate configuration settings. Examples:
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_ssl_crlpathhttps://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath
These are then presumably both passed to X509_STORE_load_locations(),
which supports specifying a file and directory concurrently.
I think that would be a preferable approach. In practical terms, it
would allow a user to introduce the directory method gradually without
having to convert the existing CRL file at the same time.